TLS security layer - neutrinolabs/xrdp GitHub Wiki

xrdp accepts TLS security layer connections from RDP clients. TLS is more secure than "classic" RDP security, as it is resistant to man-in-the-middle attacks.

How to configure and enable TLS support in xrdp

  1. Obtain an X.509 certificate and a matching private key. These can be generated using the same process as for an HTTPS web server. This is much better documented on other sites, but here is a brief summary using the OpenSSL suite:

    To generate a private key and self-signed certificate:

    $ openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 3650

    (Note: Self-signed certificates are not recommended if multiple users will be connecting to xrdp, especially if they are using the Microsoft client.)

    To generate a private key and certificate-signing request:

    $ openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out xrdp.csr

    The certificate-signing request must be submitted to a certificate authority (CA) in order to receive a signed certificate. See the "Certificate format" section below for details on what you'll need.

  2. Configure xrdp to use the certificate and key files in the xrdp.ini file:

    certificate=/path/to/certificate_file.pem
    key_file=/path/to/key_file.pem

    By default, xrdp will look for these in /etc/xrdp/cert.pem and /etc/xrdp/key.pem.

    Make sure that the key file is readable only by root and the xrdp daemon. (The daemon may be running as the root user, or possibly a dedicated user like xrdp.) It is a secret key, so it must remain secret! If normal users can read it, then that defeats the purpose of TLS.

  3. Configure xrdp to require TLS and to disallow the weaker "classic" RDP security layer. In xrdp.ini:

    security_layer=tls

  4. Restart xrdp, and connect to it securely using an RDP client! If you are using a self-signed certificate, your client may give you a warning, or might not even allow you to connect.

Certificate format

The certificate should be a Base64-encoded PEM file, which will typically have a filename extension of .pem or .crt.

The certificate file must not be a "certificate chain" in PKCS#7 (.p7b) format. RDP clients will not accept this format. However, a "certificate bundle" file (.ca-bundle), as is normally used by Apache, is known to work.
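A quick check of the format rules just stated, as an added example rather than anything shipped with xrdp. It assumes PEM files carry their usual "-----BEGIN ...-----" markers: a PEM PKCS#7 export is recognised by its "-----BEGIN PKCS7-----" marker, a DER-encoded .p7b or .cer has no marker at all and is reported as "not PEM", and two or more CERTIFICATE blocks are treated as a bundle, which the page says works.

```shell
#!/bin/sh
# Added example (not part of the xrdp project): a check for the certificate
# file format rules above. Assumptions: PEM files carry their usual
# "-----BEGIN ...-----" markers; a PKCS#7 export is identified by its
# "-----BEGIN PKCS7-----" marker; DER-encoded files have no marker and are
# reported as "not PEM".
set -eu

# Number of PEM certificate blocks in the file (2 or more means a bundle,
# 0 means the file is not a PEM certificate).
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Exit 0 when FILE is a PEM certificate or bundle, 1 for a PEM PKCS#7 chain,
# 2 when no PEM certificate block is present (DER/binary, a bare key, ...).
cert_format_check() {
    f="$1"
    if grep -q '^-----BEGIN PKCS7-----' "$f"; then
        echo "$f: PKCS#7 (.p7b) chain; RDP clients reject it. Convert with:" >&2
        echo "  openssl pkcs7 -print_certs -in '$f' -out bundle.pem" >&2
        return 1
    fi
    if [ "$(cert_count "$f")" -eq 0 ]; then
        echo "$f: no PEM certificate block found (DER-encoded, or not a certificate?)" >&2
        return 2
    fi
    # A certificate file is normally world-readable, so private key material
    # belongs only in the key_file path locked down in step 2.
    if grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "$f: warning, this file also contains a private key" >&2
    fi
    echo "$f: PEM, $(cert_count "$f") certificate(s)"
    return 0
}

# Usage: sh cert_format_check.sh /etc/xrdp/cert.pem
if [ $# -eq 1 ]; then
    cert_format_check "$1"
fi
```

The conversion hint printed for the PKCS#7 case uses OpenSSL's pkcs7 subcommand, which rewrites the chain as concatenated PEM certificates; add -inform DER when the .p7b is binary rather than PEM-armoured.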

Microsoft RDP client support

As of this writing, the Microsoft RDP client (version 10.0.18362, protocol 10.7) is known to support TLS v1.2, but not v1.3. Other clients, like xfreerdp, support TLS v1.3. So the following setting should work for all known clients:

ssl_protocols=TLSv1.2, TLSv1.3

(The order of the entries does not matter; the highest version supported by both client and server will be used.)

If xrdp is configured with a valid X.509 certificate from a CA, and the (Microsoft Windows) client has the CA certificate(s) correctly installed, then the client should be able to connect with no warnings and without the need for any technical workarounds. This has been confirmed in a corporate-network setting with an internal CA.


TODO: Figure out status of support for TLS direct connections